#1139627 ldns: CVE-2026-10846

Package:
src:ldns
Source:
src:ldns
Submitter:
Salvatore Bonaccorso
Date:
2026-06-10 17:21:01 UTC
Severity:
normal
#1139627#5
Date:
2026-06-10 10:59:32 UTC
Hi,

The following vulnerability was published for ldns.

CVE-2026-10846[0]:
| NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used
| in applications as (stub) resolver over UDP, lacks matching the
| query destination address and port with the response source address
| and port. Furthermore not the query ID, neither the question of the
| query is matched with that of the response. This makes applications,
| that use ldns for (stub) resolver functionality over UDP, vulnerable
| for off-path poisoning attacks. The drill tool, which is shipped
| with ldns, suffers from this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10846
https://www.cve.org/CVERecord?id=CVE-2026-10846
[1] https://www.nlnetlabs.nl/downloads/ldns/CVE-2026-10846.txt

Regards,
Salvatore
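
The three checks the CVE description lists as missing (response source address and port, query ID, question), as an added example that is not code from ldns or from this report. It works directly on the DNS wire format rather than through the ldns API; the function names, the IPv4-only scope, and the sample query are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>

/* Constructed sample: query for example.com, type A, class IN, ID 0x1a2b. */
static const uint8_t SAMPLE_QUERY[] = {0x1a,0x2b, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  0,1,  0,1};

/* Length of the question entry after the 12-byte header; 0 if malformed. */
static size_t question_len(const uint8_t *m, size_t len)
{
    size_t i = 12;
    while (i < len && m[i] != 0) {
        if (m[i] > 63) return 0;              /* compression pointer or bad label */
        i += 1u + m[i];
    }
    return (i + 5 <= len) ? i + 5 - 12 : 0;   /* root label + QTYPE + QCLASS */
}

static uint8_t lower(uint8_t c) { return (c >= 'A' && c <= 'Z') ? (uint8_t)(c + 32) : c; }

/* Returns 1 only if reply r, received from `from`, answers query q sent to `to`. */
int reply_matches_query(const uint8_t *q, size_t qlen, const struct sockaddr_in *to,
                        const uint8_t *r, size_t rlen, const struct sockaddr_in *from)
{
    /* Response source address and port must equal the query destination. */
    if (from->sin_family != to->sin_family || from->sin_port != to->sin_port ||
        from->sin_addr.s_addr != to->sin_addr.s_addr) return 0;
    /* Query ID must match and the QR bit must mark a response. */
    if (qlen < 12 || rlen < 12) return 0;
    if (q[0] != r[0] || q[1] != r[1] || !(r[2] & 0x80)) return 0;
    /* Exactly one question, equal to ours (name bytes compared caselessly). */
    if (r[4] != 0 || r[5] != 1) return 0;
    size_t ql = question_len(q, qlen);
    if (ql == 0 || ql != question_len(r, rlen)) return 0;
    for (size_t i = 12; i < 12 + ql - 4; i++)
        if (lower(q[i]) != lower(r[i])) return 0;
    return memcmp(q + 8 + ql, r + 8 + ql, 4) == 0;   /* QTYPE and QCLASS */
}

int main(void)
{
    struct sockaddr_in ns = {0};
    uint8_t r[sizeof SAMPLE_QUERY];
    ns.sin_family = AF_INET; ns.sin_port = htons(53); ns.sin_addr.s_addr = htonl(0xC0000201);
    memcpy(r, SAMPLE_QUERY, sizeof r); r[2] = 0x81; r[3] = 0x80;   /* constructed reply */
    printf("%d\n", reply_matches_query(SAMPLE_QUERY, sizeof SAMPLE_QUERY, &ns, r, sizeof r, &ns));
}
```

A datagram that fails any check is dropped and the resolver keeps waiting for the genuine reply until its timeout, rather than treating the mismatch as an answer.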

#1139627#14
Date:
2026-06-10 17:19:55 UTC
We believe that the bug you reported is fixed in the latest version of
ldns, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1139627@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated ldns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 10 Jun 2026 20:11:20 +0300
Source: ldns
Architecture: source
Version: 1.9.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Closes: 1139627
Changes:
 ldns (1.9.2-1) unstable; urgency=medium
 .
   * new upstream bugfix release, including
   - Match question from query in response, and...
   - Fix to check address and port and TXID
     Closes: #1139627, CVE-2026-10846
   * update the upstream signing key